Topic | Questions | Answer

General

Can SSO be used in combination with a normal password login?

No. Our SSO system means that all users for a configured email domain will be required to use SSO to log in.

General

Can I test SSO login before enabling?

Ansarada can enable SSO on a test domain first (e.g. test.example.com). You will need to have a mailbox configured for this test domain in order to be able to accept the invitation email.

General

What happens when our certificate is due to expire?

Ansarada will need to be notified ahead of time to arrange a manual rollover to the new certificate. We also monitor for upcoming certificate expiry and will notify you if a certificate is due to expire.

General

Do you support automatic certificate rollover?

No, not currently. We are always considering improvements in this area, so please let us know of your requirements.

General

Do you support SSO options other than SAML e.g. OIDC, WS Federation?

No, not currently. We are always considering improvements in this area, so please let us know of your requirements.

Federation

Does the application currently implement or support Federated Authentication via SAML 2.0 or OIDC?

Yes, SAML 2.0 is supported by default. OIDC is not currently supported.

Federation

Can the application support artifact binding per the SAML 2.0 binding specification?

We support HTTP redirect binding and HTTP post binding.

Federation

Does the application expose a web-based metadata endpoint for IdP (Identity Provider) consumption?

Yes, we generate a web-based metadata endpoint per customer. The endpoint becomes available once the SSO setup process starts and the customer has provided the required information.

Example format from our QA environment:

https://auth.au.ansarada.com/samlp/metadata?connection=<unique_identifier_per_customer>

Federation

Does the application support signed assertions using RSA keys of at least 2048 bits or ECC keys of at least 256 bits in length?

We support RSA keys of 2048 bits.

Federation

Can the application generate digital signatures using SHA-2 hash functions that produce digests of at least 256 bits in length?

Yes

Federation

Does the application support HTTP communications over TLS? Which Version of TLS?

Yes, TLS 1.2 and 1.3

Federation

  1. Are the certificates signed by a Certificate Authority using RSA signing keys at least 4096 bits or ECC signing keys at least 256 bits in length?

  2. Are the certificates signed using a SHA-2 hash function that produces a digest of at least 256 bits in length?

  3. Do the certificates contain a RSA public key at least 2048 bits or an ECC key at least 256 bits in length?

  1. Yes, we support ECC 256 bit

  2. Yes, we support SHA-2 256 bit

  3. Yes, we support ECC 256 bit

Federation

Do TLS communications support perfect forward secrecy via ephemeral session key exchange? Do TLS handshakes involve a standard Diffie-Hellman key exchange?

Yes, we support both Keyless SSL and Diffie-Hellman handshakes.

Federation

Do TLS communications support strong cipher suites (such as an IANA recommended cipher suite)?

IANA-recommended cipher suites we support:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

For more supported algorithms:

https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support#h_5dbe8358-67b6-4575-b876-7e50dcec4c9f

Federation

Does the application support metadata endpoint monitoring with automated configuration updates?

No. We do, however, have a status page that monitors the Ansarada platform:

https://ansarada.statuspage.io/

Federation

Does the application support the use of multiple IdP certificates at any given time?

No

Access Management

Does the application currently implement or support Dynamic Session Management (Claims Based Authorisation)?

  • AwesomeCompany user identity and entitlement records exist only within AwesomeCompany systems and are never persisted in any third party systems.

  • AwesomeCompany IDP issues a SAML token with user identity attributes and entitlements specific to the third party application.

  • Third-Party STS (Security Token Service) issues a SAML token with entitlement claims passed-through from the AwesomeCompany IDP SAML token as-is without any mapping or transformation.

  • The third-party application depends solely on the SAML token for determining user entitlements at runtime.

  • Ansarada captures user identity attributes (first name, last name and email); we do not support entitlement records.

  • Ansarada persists identity information (first name, last name and user email) within platform services.

  • Ansarada doesn’t map or transform received identity information.

  • The SAML token is used as proof of authentication to log in to the Ansarada platform. Authorisation (which products and services within the Ansarada platform a user can access) is managed in Ansarada products such as Dealroom, not via SAML.

Access Management

Does the application currently implement or support On-Demand Provisioning using SAML Assertion?

Ansarada supports on-demand provisioning using SAML assertion.

Access Management

Does the application currently implement or support Automated Access Removal after a period of inactivity?

No

Access Management

Does the application currently implement or support SCIM based automated provisioning and de-provisioning?

No

Access Management

If SCIM support is not available, is there an alternate provisioning/de-provisioning API available?

No

Access Management

Does the API support establishment of all roles, including privileged roles (such as access administration, etc.)?

No

Access Management

  1. Does the application provide a user interface for Direct Administration for AwesomeCompany workforce? Can this interface be SAML secured?

  2. Can this interface be enabled/ disabled based on AwesomeCompany’s requirements?

  1. Yes, we provide the Ansarada management area which is SAML secured.

  2. Yes, AwesomeCompany can decide who has access to the Ansarada management area.

Access Management

How does user access provisioning occur?

The AwesomeCompany admin will be able to invite internal and external users to the Ansarada platform.

Access Management

Does the application provide alternate access mechanisms that do not require authentication with an IdP (for example, direct-access break-glass accounts for the restoration of service)?

Ansarada CS has access to Ansarada’s platform customer area.

Access Management

What is the maximum token validity period time that is accepted by the application?

60 minutes
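The 60-minute limit above is a relying-party check on the assertion's Conditions element. The following is an added illustration, not Ansarada's or Auth0's code, of how a service provider enforces such a limit; the sample assertion, the 2-minute clock-skew tolerance and the helper names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_VALIDITY = timedelta(minutes=60)   # page: maximum accepted token validity
CLOCK_SKEW = timedelta(minutes=2)      # assumption: tolerance for IdP/SP clock drift


def build_assertion(not_before, not_on_or_after):
    """Constructed sample assertion; only Conditions matters here, signature omitted."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="%s">'
        "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
        "</saml:Assertion>" % (not_before, not_before, not_on_or_after)
    )


SAMPLE_ASSERTION = build_assertion("2024-05-01T09:00:00Z", "2024-05-01T09:05:00Z")


def parse_saml_time(value):
    """SAML uses UTC timestamps with a trailing Z; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now):
    """Return (accepted, reason) for the assertion's validity window at time `now`."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return False, "missing Conditions/NotOnOrAfter"   # never accept unbounded tokens
    start = cond.attrib.get("NotBefore") or root.attrib["IssueInstant"]
    not_before = parse_saml_time(start)
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    # Reject windows longer than the policy maximum regardless of the current time.
    if not_on_or_after - not_before > MAX_VALIDITY:
        return False, "validity window exceeds 60 minutes"
    if now + CLOCK_SKEW < not_before:
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, "assertion expired"
    return True, "ok"
```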

General Implementation

Are any components of the application hosted on public cloud infrastructure, such as AWS, Azure?

Ansarada uses AWS public cloud infrastructure.

General Implementation

Where is the application IdP (relying party STS) hosted (public cloud, on-prem, other)?

Ansarada uses Auth0 (https://auth0.com), which is hosted on AWS public cloud infrastructure.

General Implementation

What devices can be used to access the application (PC, MAC, mobile, other)?

Any device with Internet access

General Implementation

Does the application provide non-web based access points (DB, OS, other)?

No

General Implementation

What channels can be used to access application (Internet, Internet with IP restriction, leased lines, VPN, other)?

Internet; the application is entirely Internet-accessible.

General Implementation

Can partner applications (Kira, Luminance, etc.) use SSO to login?

By default, only the products that are part of the Ansarada Platform can use configured SSO.

Authentication

What is the application login URL?

app.ansarada.com, which redirects the user to the page that hosts the platform login page (dynamic URL): https://auth.au.ansarada.com/login

Authentication

What URL is used for the change password page (if available)?

Same as the login form

Authentication

Please list any browser restrictions if any. E.g. IE v11 or higher.

  • Chrome (latest)

  • Firefox (latest)

  • Safari (latest)

  • IE EDGE (latest)

  • IE (V11 or higher)

  • Opera (latest)

  • IOS Safari (latest 2 versions)

  • Chrome for Android (latest)

Connectivity Restrictions

Does the Third Party provide the capability to restrict connectivity to the application so that only traffic originating from the AwesomeCompany network is permitted?

Yes

Connectivity Restrictions

What capabilities are provided to restrict connectivity (e.g. IP restriction via whitelisting or use of Virtual Private Network (VPN))?

IP restriction via whitelisting

Connectivity Restrictions

Please describe the process for initiating and completing connectivity restrictions with AwesomeCompany and service level agreement (SLA) for establishing that restriction.

An authorised officer of AwesomeCompany makes a request to Ansarada support ([email protected]) requesting connectivity restriction via IP whitelisting and specifying which projects it should apply to. The request will be completed within 24 hours.

Access Administration

Is AwesomeCompany permitted to log into the application and complete access administration?

Yes, provided the AwesomeCompany personnel doing this have Administrator access to the deal room or management area that contains the user whose access is being managed.

Access Administration

Does the application have any geographical restrictions that govern where security administrator users must be located in order to use the application?

Not as standard. Geoblocking can be applied on a per deal room or per management area basis.

Access Administration

What are the known limitations or exceptions for your application?

Invitations to deal rooms expire 900 (nine hundred) days after the invitation is issued. Users must accept the invitation within that time; otherwise another invitation will have to be issued.

Access Administration

How can the AwesomeCompany Security Administrator contact your helpdesk for support related to access administration and related activities?

https://www.ansarada.com/contact

Password Policies

What is the minimum password length?

At least 8 characters

Password Policies

What is the maximum password age (in days)?

Password expiry (maximum age) is not supported.

Password Policies

Does the password comprise lowercase characters (a through z)?

Yes

Password Policies

Does the password comprise uppercase characters (A through Z)?

Yes

Password Policies

Does the password comprise base 10 digits (0 through 9)?

Yes

Password Policies

Does the password comprise special or non-alphanumeric characters (@, #, +, etc.)?

Yes

Password Policies

What is the password cycle frequency?

The user can’t reuse any of their last 5 passwords.

Please see more details:

https://auth0.com/docs/connections/database/password-options#password-history

Password Policies

After how many consecutive failed login attempts will the account be locked?

We support brute force protection; please see the details below:

https://auth0.com/docs/anomaly-detection/references/brute-force-protection-triggers-actions

Password Policies

Does the password contain login ID?

Password cannot contain a part of the user’s email and cannot contain their first or last name.

Please see more details:

https://auth0.com/docs/connections/database/password-options#personal-data

Password Policies

Does the password contain any element of your full name?

Passwords cannot contain part of the user’s email or name (first and last name).

Please see more details:

https://auth0.com/docs/connections/database/password-options#personal-data

Password Policies

Does the password check include any phrase from the firm-maintained blacklist below?

Passwords from the common password lists are not allowed.

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt

Please see more details:

https://auth0.com/docs/connections/database/password-options#password-dictionary
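The rules answered in the Password Policies section above (minimum 8 characters, all four character classes, no part of the user's email or name, no common-list password, no reuse of the last 5 passwords) combine into one validator. This is an added example, not Ansarada's or Auth0's implementation: the five-entry common-password set stands in for the SecLists file linked above, the per-user salt and the PBKDF2 choice for the password-history hashes are assumptions, and the tokenisation of the email local part is a simple illustrative choice.

```python
import hashlib
import hmac
import string

# Constructed stand-in for the 10k-most-common list linked on the page.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8            # page: at least 8 characters
HISTORY_DEPTH = 5         # page: the last 5 passwords cannot be reused
SALT = b"constructed-per-user-salt"   # assumption: random and per user in a real system


def password_hash(password):
    """PBKDF2-HMAC-SHA256 for the history comparison (assumption: page states no hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


def personal_tokens(email, first_name, last_name):
    """Identity fragments that must not appear in the password (illustrative split)."""
    local_part = email.split("@")[0]
    tokens = [local_part, first_name, last_name] + local_part.replace("-", ".").split(".")
    return [t.lower() for t in tokens if len(t) >= 3]   # ignore 1-2 char fragments


def check_password(password, email, first_name, last_name, history):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if any(tok in lowered for tok in personal_tokens(email, first_name, last_name)):
        problems.append("contains part of the user's email or name")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    new_hash = password_hash(password)
    # Constant-time comparison against the stored hashes of the last 5 passwords.
    if any(hmac.compare_digest(new_hash, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last 5 passwords")
    return problems
```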

Other

Can SSO be enabled for AwesomeCompany both internal and external users?

  1. The AwesomeCompany admin will be able to decide on a per-user level (represented by user email) whether to assign or revoke access to the entire Ansarada platform.

  2. SSO can be enabled for all internal users (AwesomeCompany domain). External users’ access permissions can be managed by the AwesomeCompany admin using the management area (please see the next paragraph, ‘Management Area’).

  3. SSO is managed at the platform level: the user is authenticated into our Platform (following SSO authentication), and that authentication determines which rooms they will see and their type of access. User access to rooms (which rooms they can access and the type of access they have) can be managed using the management area.

Other

What are Ansarada management areas for?

  1. The AwesomeCompany admin will have centralised control to create rooms and assign/revoke access permissions to those rooms for both internal and external users, giving them full user management control (the second level of user management).

  2. AwesomeCompany admin will be able to decide who the admin will be (non-Ansarada). This can be centralised as one role or team as per your requirement.

  3. AwesomeCompany can have multiple management areas managed by different AwesomeCompany admins (non-Ansarada) for further centralisation if required.

Other

How can I see who has access to which room?

ABN admin will be able to log in to any room in the Management Area, and:

  1. View all room users in the browser UI.

  2. Export users to Excel.

On a regular basis, Ansarada will be able to produce a report about users (both internal and external) in ABN rooms. The following information is available:

  1. Name

  2. Email

  3. List of ABN rooms the user has access to

  4. Role (per room)

  5. Phone

  6. City

  7. Country

  8. Job title

Other

Does Ansarada support MFA for both internal and external users?

  1. MFA for internal users can be supported through SSO.

  2. MFA for external users is on Ansarada’s roadmap and will be available in October 2020.

Other

Please let me know the availability of Ansarada application in Azure Gallery.

Ansarada is not available as an application in Azure Gallery; nevertheless, Azure can be configured as an IdP for SSO.

Other

Please confirm whether you offer IdP-initiated SSO or SP-initiated SSO.

Ansarada supports SP initiated flows. IdP initiated flows are not currently supported.

Other

Can you supply configuration documentation that helps for Microsoft Azure?

We don’t have Azure specific documentation. Our documentation is generic for all IdPs.

We recommend configuring a custom Enterprise Application.

Other

Can SSO be enabled for individual users to test the SSO setup?

Unfortunately, Ansarada doesn’t have the capability to enable SSO for individual users. SSO works per email domain: when a user tries to log in with a particular email address, our platform detects whether SSO is configured for that domain. One option we can suggest is to use a test domain. After successful verification, Ansarada will remove the test domain from the list of domains configured for SSO.
